The Sophos Annual Threat Report: Cybercrime on Main Street 2025
Summary:
In 2024, small and midsized businesses continued to be significant targets for cybercriminals, with ransomware standing out as the most prominent threat. Sophos reported that ransomware was responsible for 70% of its Incident Response cases involving small businesses and over 90% for midsized organizations. Even though the number of ransomware incidents slightly declined, the financial and operational impact of each attack increased. Attackers increasingly used "remote ransomware" methods, executing attacks from outside endpoint detection ranges, often via unmanaged devices, to evade traditional defenses. Data theft and extortion became more common, with many actors opting to steal data and demand ransom without encrypting files. Initial access to these businesses often came through compromised network edge devices, including firewalls and VPN appliances, frequently due to unpatched vulnerabilities. Despite the availability of patches, many systems remained exploitable because organizations had not updated them, or the patches were applied too late, after compromise had already occurred.
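The "remote ransomware" pattern described above, where encryption is driven from an unmanaged host that endpoint detection never sees, leaves one reliable trace: the file server's own audit log shows a single client mass-writing or renaming files to unfamiliar extensions. The following is an added example, not code from the Sophos report, that runs such a detection over constructed file-server audit events; the event tuple layout, the managed-endpoint inventory, the known-extension list and the thresholds are all assumptions made for the example.

```python
"""Flag remote-ransomware style activity from a file-server audit log.

Added example (not from the Sophos report). Assumed input: one tuple per
audit event, (timestamp, client_host, op, path, new_path), where new_path is
only filled for RENAME. The inventory and the log lines are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime

# Constructed inventory: hosts that carry an endpoint agent. Anything else
# touching the share is an "unmanaged device" in the report's sense.
MANAGED_HOSTS = {"WS-FIN-01", "WS-HR-02", "SRV-FILE-01"}

# Assumed whitelist of extensions normally written to this share.
KNOWN_EXTENSIONS = {".xlsx", ".docx", ".pdf", ".txt", ".pptx"}


def _ext(path: str) -> str:
    """Return the lower-cased final extension of a UNC or local path ('' if none)."""
    name = path.rsplit("\\", 1)[-1]
    return name[name.rfind("."):].lower() if "." in name else ""


def build_sample_events():
    """Constructed audit events: benign managed activity plus one unmanaged
    host renaming 40 files to .locked within 40 seconds."""
    events = [
        ("2025-04-20T09:00:01", "WS-FIN-01", "WRITE", r"\\SRV-FILE-01\finance\q1.xlsx", ""),
        ("2025-04-20T09:00:05", "WS-HR-02", "READ", r"\\SRV-FILE-01\hr\policy.docx", ""),
        # a managed host legitimately renaming a handful of drafts stays under threshold
        ("2025-04-20T09:05:00", "WS-FIN-01", "RENAME",
         r"\\SRV-FILE-01\finance\draft.docx", r"\\SRV-FILE-01\finance\draft.bak"),
    ]
    for i in range(40):
        src = rf"\\SRV-FILE-01\finance\report_{i}.docx"
        events.append((f"2025-04-20T09:10:{i:02d}", "GUEST-LAPTOP", "RENAME", src, src + ".locked"))
    return events


def detect_remote_ransomware(events, managed_hosts=MANAGED_HOSTS,
                             threshold=20, window_seconds=60):
    """Sliding-window count, per client host, of WRITE/RENAME operations whose
    resulting extension is not on the whitelist. Returns {host: alert_dict}
    for hosts that reach `threshold` such operations within `window_seconds`.
    The alert records whether the host is managed, because an unmanaged host
    is exactly the case endpoint tooling will not have caught."""
    windows = defaultdict(deque)
    alerts = {}
    for ts, host, op, path, new_path in sorted(events, key=lambda e: e[0]):
        if op not in ("WRITE", "RENAME"):
            continue
        target = new_path if op == "RENAME" else path
        if _ext(target) in KNOWN_EXTENSIONS:
            continue
        t = datetime.fromisoformat(ts)
        q = windows[host]
        q.append(t)
        # drop events older than the window
        while (t - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and host not in alerts:
            alerts[host] = {
                "count": len(q),
                "managed": host in managed_hosts,
                "first_seen": q[0].isoformat(),
                "last_seen": t.isoformat(),
                "severity": "high" if host not in managed_hosts else "medium",
            }
    return alerts


if __name__ == "__main__":
    for host, alert in detect_remote_ransomware(build_sample_events()).items():
        print(host, alert)
```

In a real deployment the events would come from the file server's object-access auditing or the NAS vendor's audit stream, the managed-host set from the EDR console's device list, and the response action would be to cut the offending session and the host's share access rather than to print. The whitelist and threshold are the tuning knobs: the example uses a small whitelist so that the unfamiliar `.locked` extension stands out, but any sudden burst of writes to extensions the share has never seen before is the signal.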
Security Officer Comments:
Edge devices are increasingly being targeted as a means to gain initial access to organizational networks. Earlier this month, Mandiant reported that actors were exploiting a critical buffer overflow vulnerability impacting Ivanti Connect Secure VPN appliances to deploy various payloads on compromised systems, including TRAILBLAZ, an in-memory-only dropper; BRUSHFIRE, a passive backdoor; and the SPAWN malware ecosystem. The activity is attributed to UNC5221, a suspected China-nexus espionage actor. More recently, the Shadowserver Foundation reported a significant surge in compromised Fortinet devices, revealing that over 16,000 internet-exposed systems had been infected with a newly identified symlink backdoor. This backdoor gives attackers read-only access to sensitive files on devices that were previously breached, so the risk persists even after the original compromise has been patched. Overall, these developments underscore the growing vulnerability of edge infrastructure and the urgent need for proactive patching, robust monitoring, and proper network segmentation.
Suggested Corrections:
Sophos urges small and midsized businesses to implement strong security practices, including regular vulnerability patching, enabling MFA across all accounts, auditing remote access infrastructure, and retiring outdated systems to reduce exposure to potential attacks.
Link(s):
https://news.sophos.com/en-us/2025/...threat-report-cybercrime-on-main-street-2025/
https://www.bleepingcomputer.com/ne...et-devices-compromised-with-symlink-backdoor/
https://cloud.google.com/blog/topic...exus-exploiting-critical-ivanti-vulnerability